Customers of a number of UK clothing and accessories websites have had their personal information exposed following a security breach at an IT services provider that they were sharing.
Brands such as Jaded London, AX Paris, Elle Belle Attire, Perfect Handbags, DLSB (Dirty Little Style Bitch), and Traffic People entrusted web development and ecommerce company Fashion Nexus to help them build an online store.
Unfortunately, something went wrong (Fashion Nexus, and its sister company White Room Solutions, refuses to say what), and white hat hacker Taylor Ralston was able to access a server containing a shared database containing personal details of the online clothing stores’ customers.
In all, the exposed information contains personal information of approximately 1.3 million users, including password hashes (MD5 and SHA-1, both salted), names, dates of birth, email addresses, phone numbers, and other data. There is no indication that payment card information was put at risk.
When I asked White Room if they would be issuing a statement, their response was pretty emphatic.
(By the way, in an unconnected boo-boo, the White Room Solutions and Fashion Nexus websites don’t support HTTPS - which doesn’t exactly instil confidence that they’re top of their game when it comes to advising on ecommerce.)
However, White Room Solutions does tell me that it has informed the affected brands, and that it is leaving it up to the affected brands to contact their exposed customers about their data being breached, as well as inform the Information Commissioner’s Office (ICO).
White Room Solutions were also prepared to confirm to me privately that they had resolved the security issue:
“The breach was via a site that has subsequently been taken down and is considered resolved.”
I can find no mention of the data breach on the websites of the brands involved, so new customers will not know that there have been security problems in the past.
If any customers of the affected online stores happen to read this I would be fascinated to hear if you have received a notification from the websites concerned, warning you that your personal data was put at risk.
Update 31 July 2018: One of the affected firms, Jaded London, has issued the following statement:
Jaded London are aware of a data breach that affected a historic database, stored on a server run by Fashion Nexus. The information that was accessible at this time was limited to data related to shipping of archived orders and no time was sensitive data, such as payment details, stored or accessible. Jadedldn.com is not and was not managed by Fashion Nexus at the time of the breach, and at no time was the Jadedldn.com live website compromised. As part of our dedication to the security of our customers and their data, we are in contact with the ICO and continue to review our security with our current developers and providers. We would welcome any customers who are concerned about their data to contact us directly.